
Got SIEM? – Part III

November 13, 2008

Continuing our review of the limitations of today’s SIEM solutions, the next issue is scalability. Because events are the core data component that SIEM products capture, their performance is generally measured by the number of events per second (eps) they can capture and process. While many commercial SIEM platforms can scale to large environments (for example, over 100,000 eps), they require a significant investment in distributed hardware to do so. Moreover, while most solutions are adept at capturing these large volumes of data, correlating the data into reports, monitors, and alerts across these event repositories is another matter – and more importantly, doing so in a reasonable amount of time is nearly impossible.

The eps issue is primarily one of product architecture: collecting massive numbers of events (and, in a limited number of cases, the additional data that SIEM tools can capture) requires increasingly distributed, tiered architectures. Add encryption and compression on top of the data collection (which secure collection requires), and the problem is exacerbated even further. The biggest problem this can lead to is dropped data: if a single critical event points to a major security issue and that event is dropped by the SIEM, the consequences could be devastating for the organization.
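To make the eps and dropped-event points above concrete, here is an added example (it is not code from the original post or from any SIEM product). It is a small discrete-time model of a collector's ingest buffer: events arrive in bursts, a parse/index stage sustains a fixed eps, and a bounded in-memory buffer sits between them. Under a plain "drop on overflow" policy the spike silently discards events, including the one critical event the post worries about; under a "spill to disk" policy every event survives, but at the cost of a backlog that takes extra seconds to drain. The burst profile, capacity, rate and the choice of event #500 as the critical one are all constructed sample values.

```python
"""Added example, not from the original post: a discrete-time model of a SIEM
collector's ingest buffer. It shows how a bounded in-memory queue silently
drops events once the arrival rate exceeds the processing rate, and how a
spill-to-disk policy keeps every event at the cost of a processing backlog.
All rates, capacities and the burst profile are constructed sample values,
not measurements of any product."""

from collections import deque
from dataclasses import dataclass, field


@dataclass
class CollectorStats:
    received: int = 0
    processed: int = 0
    dropped: int = 0           # discarded because the in-memory buffer was full
    spilled: int = 0           # diverted to the on-disk overflow queue instead
    peak_buffer: int = 0       # high-water mark of the in-memory buffer
    ticks: int = 0             # seconds until every accepted event was processed
    dropped_critical: list = field(default_factory=list)  # lost must-see events


def run_collector(bursts, capacity, rate, policy="drop", critical=()):
    """Simulate one-second ticks. `bursts` lists arrivals per tick, `rate` is
    how many events the parse/index stage completes per tick, and `capacity`
    bounds the in-memory buffer. policy is 'drop' (discard on overflow) or
    'spill' (write overflow to disk and drain it when the buffer has room).
    Events are numbered sequentially so a specific one can be tracked."""
    if rate <= 0:
        raise ValueError("rate must be positive or the backlog never drains")
    buf, spill, stats, seq = deque(), deque(), CollectorStats(), 0
    schedule = list(bursts)
    while schedule or buf or spill:
        arrivals = schedule.pop(0) if schedule else 0   # quiet ticks drain backlog
        for _ in range(arrivals):
            seq += 1
            stats.received += 1
            if len(buf) < capacity:
                buf.append(seq)
            elif policy == "spill":
                spill.append(seq)
                stats.spilled += 1
            else:
                stats.dropped += 1
                if seq in critical:
                    stats.dropped_critical.append(seq)
        stats.peak_buffer = max(stats.peak_buffer, len(buf))
        for _ in range(rate):               # drain stage: memory first, then disk
            if not buf and spill:
                buf.append(spill.popleft())
            if not buf:
                break
            buf.popleft()
            stats.processed += 1
        stats.ticks += 1
    return stats


# Constructed burst profile: a 400-eps spike hitting a collector that sustains
# 100 eps with a 100-event buffer. Event #500 stands in for the single critical
# event the post describes; losing it is the devastating case.
BURSTS = [50, 200, 400, 50, 0]

if __name__ == "__main__":
    for policy in ("drop", "spill"):
        s = run_collector(BURSTS, capacity=100, rate=100, policy=policy, critical=(500,))
        print(f"{policy:5s} received={s.received} processed={s.processed} "
              f"dropped={s.dropped} spilled={s.spilled} ticks={s.ticks} "
              f"lost_critical={s.dropped_critical}")
```

With these constructed numbers the drop policy keeps only 300 of 700 events and loses event #500, while the spill policy processes all 700 but needs 8 ticks instead of 5. Two practical takeaways: the `dropped` counter is exactly the metric a collector should expose and alert on, since a silent drop is indistinguishable from "nothing happened"; and the spill policy does not preserve strict arrival order (events arriving while the disk queue is non-empty are processed first), so correlation logic must key on event timestamps rather than on processing order.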

The slow correlation and reporting issue is due, by and large, to the fact that most SIEM solutions are backed by general-purpose relational databases such as Microsoft SQL Server and Oracle. These databases can store the large quantities of event data that enterprise environments generate, but even when tuned with high-performance customized triggers, stored procedures, and platform-specific performance enhancements, they simply cannot deliver the performance needed for speedy correlation across massive volumes of enterprise event data. SIEM platform vendors should give serious consideration to developing purpose-built data repositories that support the high data volumes and fast correlation and analysis times enterprise users demand.

Next up: Proactive vs. reactive – why SIEM today is behind the operational curve.
